Kangaroo Ransomware

Kangaroo Ransomware is an infection that, according to our research team, is a new variant of the infamous Apocalypse Ransomware. It is also similar to the Esmeralda Ransomware. Clearly, it is not a unique infection; however, that does not make much difference. Sure, we might know more about this malware, but the reality is that none of these infections can be overcome easily. Once they encrypt the files found on the targeted operating system, there is very little anyone can do. The two main options are paying the ransom requested by cyber criminals or losing the files altogether, and neither of these options is good. Unfortunately, there is a possibility that the ransom payment will be collected but the promised decryption software will never be provided to you. Needless to say, we do not recommend paying the ransom because that might result in the loss of your data and your money at the same time. Continue reading to learn more about this malware and how to remove Kangaroo Ransomware.

According to the information we have gathered, the malicious Kangaroo Ransomware is spread by exploiting the Remote Desktop Protocol. If the infection is executed on your operating system successfully, you face a pop-up that includes the name of the infection, your unique ID number, and an encryption key. Only if you click the “Copy and Continue” button does the ransomware start encrypting your personal files. Needless to say, this move is quite strange, and it is unlikely that many users will click a button that is clearly linked to a malicious infection. If you do, the ransomware quickly starts encrypting your personal files. Although Kangaroo Ransomware ignores the files in the Windows folder and skips all files with the .dat, .bat, .bin, .ini, .dll, .exe, .tmp, .lnk, .com, .encrypted, .msi, and .sys extensions, it can still do a lot of damage. This infection is primarily targeted at your personal files, and you will not recover them by removing the ransomware itself. On top of that, this infection uses the “/c vssadmin delete shadows /all /quiet” command to delete Volume Shadow Copies, which are created if a system restore point is set up.

Once the encryption operation is complete, Kangaroo Ransomware adds the “.crypted_file” extension to all encrypted files. Unfortunately, you will not be able to check the encrypted files right away because of the screen-locking window that appears. This window displays the ransom note. You will face the same ransom note if you restart the computer (a screen with the note appears right before the login screen). If you unlock the PC, you will also find it in the TXT file that is created for every encrypted file (e.g., file.jpg.Instructions_Data_Recovery.txt). The purpose of this ransom note is to convince you that your Windows operating system has encountered a critical problem that has put your personal data at risk. Although it is stated that the files were encrypted to protect them, in reality, cyber criminals use false information to trick you into emailing them at kangarooencryption@mail.ru. If you disclose your personal ID (included in the note), they will quickly ask you to pay a ransom, and that is extremely risky. The so-called “Unlock-Password” and “Kangaroo Decryption Software” tools might be fictitious, and you do not want to waste your savings on fictitious programs. If you install additional third-party software, you will need to delete it as well.
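The two behaviours described above, the shadow-copy deletion command and the “.crypted_file” / Instructions_Data_Recovery.txt artifacts, are what a defender would look for in process-creation logs and on disk. The following is an added example written for this article, not code from the ransomware or from any security product; the process-creation records and file paths are constructed sample data, not a real Sysmon or Event ID 4688 export.

```python
import re

# Indicators taken from the article: the Volume Shadow Copy deletion
# command, the extension appended to encrypted files and the per-file
# ransom note name.
VSSADMIN_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
ENCRYPTED_EXT = ".crypted_file"
RANSOM_NOTE_SUFFIX = ".Instructions_Data_Recovery.txt"


def detect_shadow_deletion(events):
    """Return the process-creation events whose command line deletes
    Volume Shadow Copies. `events` are dicts with 'image' and 'cmdline'
    keys (a constructed shape, not a real log format)."""
    return [e for e in events if VSSADMIN_DELETE.search(e["cmdline"])]


def ransomware_artifacts(paths):
    """Split file paths into encrypted files and the original names
    recovered from ransom notes (file.jpg.Instructions_Data_Recovery.txt
    means file.jpg was encrypted). Returns (encrypted, originals)."""
    encrypted, originals = [], []
    for p in paths:
        if p.endswith(RANSOM_NOTE_SUFFIX):
            originals.append(p[: -len(RANSOM_NOTE_SUFFIX)])
        elif p.endswith(ENCRYPTED_EXT):
            encrypted.append(p)
    return encrypted, originals


# Constructed sample input: benign launches plus the cmd.exe launch
# the article attributes to Kangaroo Ransomware.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
]
SAMPLE_PATHS = [
    r"C:\Users\alice\Pictures\file.jpg.crypted_file",
    r"C:\Users\alice\Pictures\file.jpg.Instructions_Data_Recovery.txt",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    for e in detect_shadow_deletion(SAMPLE_EVENTS):
        print("shadow copy deletion:", e["cmdline"])
    enc, originals = ransomware_artifacts(SAMPLE_PATHS)
    print("encrypted files:", enc)
    print("files named in ransom notes:", originals)
```

Only the shadow-copy deletion is flagged; the benign “vssadmin list shadows” launch is not, and the note name yields the original file name of each encrypted file.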

As you already know, Kangaroo Ransomware locks the computer to introduce you to a misleading ransom note. The good news is that you can circumvent the lockdown by rebooting into Safe Mode. If you have already made up your mind about installing automated malware detection and removal software – which is the option we recommend – you should reboot into Safe Mode with Networking. However, if you want to delete Kangaroo Ransomware manually, you can also reboot into Safe Mode. Once you do that, you have to eliminate the malicious .exe file, as well as its copy, which might be named “explorer.exe”. You also need to erase the registry values associated with the ransomware. Although it is not the easiest of operations, it is not that difficult to erase the ransomware manually. If you are having any problems, leave a comment below, and we will address your issues as soon as we can.